macOS release: sign payload

Add step two of the macOS release process to download the unsigned payload,
use ESRP to sign it, and upload the signed payload as an artifact.

Additionally, genericize the existing run_esrp_signing.py script to allow
for signing of macOS payload/pkg and Windows exes in addition to Debian
packages.

Author: ldennington

.github/run_esrp_signing.py

@@ -1,3 +1,4 @@
+import argparse
 import json
 import os
 import glob
@@ -6,62 +7,60 @@
 import sys
 import re
 
+parser = argparse.ArgumentParser(description='Sign binaries for Windows, macOS, and Linux')
+parser.add_argument('path', help='Path to file for signing')
+parser.add_argument('keycode', help='Platform-specific key code for signing')
+parser.add_argument('opcode', help='Platform-specific operation code for signing')
+# Setting nargs=argparse.REMAINDER allows us to pass in params that begin with `--`
+parser.add_argument('--params', nargs=argparse.REMAINDER, help='Parameters for signing')
+args = parser.parse_args()
+
 esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")
 
 aad_id = os.environ['AZURE_AAD_ID'].strip()
+# We temporarily need two AAD IDs, as we're using an SSL certificate associated
+# with an older App Registration until we have the required hardware to approve
+# the new certificate in SSL Admin.
+aad_id_ssl = os.environ['AZURE_AAD_ID_SSL'].strip()
 workspace = os.environ['GITHUB_WORKSPACE'].strip()
 
-source_root_location = os.path.join(workspace, "deb", "Release")
-destination_location = os.path.join(workspace)
-
-files = glob.glob(os.path.join(source_root_location, "*.deb"))
+source_location = args.path
+files = glob.glob(os.path.join(source_location, "*"))
 
 print("Found files:")
 pprint.pp(files)
 
-if len(files) < 1 or not files[0].endswith(".deb"):
-	print("Error: cannot find .deb to sign")
-	exit(1)
-
-file_to_sign = os.path.basename(files[0])
-
 auth_json = {
-	"Version": "1.0.0",
-	"AuthenticationType": "AAD_CERT",
-	"TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
-	"ClientId": aad_id,
-	"AuthCert": {
-		"SubjectName": f"CN={aad_id}.microsoft.com",
-		"StoreLocation": "LocalMachine",
-		"StoreName": "My",
-	},
-	"RequestSigningCert": {
-		"SubjectName": f"CN={aad_id}",
-		"StoreLocation": "LocalMachine",
-		"StoreName": "My",
-	}
+    "Version": "1.0.0",
+    "AuthenticationType": "AAD_CERT",
+    "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
+    "ClientId": f"{aad_id}",
+    "AuthCert": {
+            "SubjectName": f"CN={aad_id_ssl}.microsoft.com",
+            "StoreLocation": "LocalMachine",
+            "StoreName": "My"
+    },
+    "RequestSigningCert": {
+            "SubjectName": f"CN={aad_id}",
+            "StoreLocation": "LocalMachine",
+            "StoreName": "My"
+    }
 }
 
 input_json = {
 	"Version": "1.0.0",
 	"SignBatches": [
 		{
 			"SourceLocationType": "UNC",
-			"SourceRootDirectory": source_root_location,
+			"SourceRootDirectory": source_location,
 			"DestinationLocationType": "UNC",
-			"DestinationRootDirectory": destination_location,
-			"SignRequestFiles": [
-				{
-					"CustomerCorrelationId": "01A7F55F-6CDD-4123-B255-77E6F212CDAD",
-					"SourceLocation": file_to_sign,
-					"DestinationLocation": os.path.join("Signed", file_to_sign),
-				}
-			],
+			"DestinationRootDirectory": workspace,
+			"SignRequestFiles": [],
 			"SigningInfo": {
 				"Operations": [
 					{
-						"KeyCode": "CP-450779-Pgp",
-						"OperationCode": "LinuxSign",
+						"KeyCode": f"{args.keycode}",
+						"OperationCode": f"{args.opcode}",
 						"Parameters": {},
 						"ToolName": "sign",
 						"ToolVersion": "1.0",
@@ -72,10 +71,27 @@
 	]
 }
 
+# add files to sign
+for f in files:
+	name = os.path.basename(f)
+	input_json["SignBatches"][0]["SignRequestFiles"].append(
+		{
+			"SourceLocation": name,
+			"DestinationLocation": os.path.join("signed", name),
+		}
+	)
+
+# add parameters to input.json (e.g. enabling the hardened runtime for macOS)
+if args.params is not None:
+	i = 0
+	while i < len(args.params):
+		input_json["SignBatches"][0]["SigningInfo"]["Operations"][0]["Parameters"][args.params[i]] = args.params[i + 1]
+		i += 2
+
 policy_json = {
 	"Version": "1.0.0",
 	"Intent": "production release",
-	"ContentType": "Debian package",
+	"ContentType": "binary",
 }
 
 configs = [
@@ -106,7 +122,7 @@
     '***', 
     result.stdout,
     flags=re.IGNORECASE|re.MULTILINE)
-printf(log)
+print(log)
 
 if result.returncode != 0:
 	print("Failed to run ESRPClient.exe")
@@ -117,6 +133,6 @@
 	with open(esrp_out, 'r') as fp:
 		pprint.pp(json.load(fp))
 
-signed_file = os.path.join(destination_location, "Signed", file_to_sign)
-if os.path.isfile(signed_file):
-	print(f"Success!\nSigned {signed_file}")
+for file in files:
+	if os.path.isfile(os.path.join("signed", file)):
+		print(f"Success!\nSigned {file}")

.github/set_up_esrp.ps1

@@ -0,0 +1,12 @@
+# Install ESRP client
+az storage blob download --file esrp.zip --account-key "$env:AZURE_STORAGE_KEY" --account-name gcmesrp --container microsoft-esrp-client --name microsoft.esrpclient.1.2.76.nupkg
+Expand-Archive -Path esrp.zip -DestinationPath .\esrp
+
+# Install certificates
+az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx
+certutil -f -importpfx out.pfx
+Remove-Item out.pfx
+
+az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:REQUEST_SIGNING_CERT" --file out.pfx
+certutil -f -importpfx out.pfx
+Remove-Item out.pfx

.github/workflows/release.yml

@@ -61,4 +61,65 @@ jobs:
         name: tmp.osx-build
         path: |
           payload
-          symbols
+          symbols
+  
+  osx-payload-sign:
+    name: Sign macOS payload
+    # ESRP service requires signing to run on Windows
+    runs-on: windows-latest
+    needs: osx-build
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+
+    - name: Download payload
+      uses: actions/download-artifact@v3
+      with:
+        name: tmp.osx-build
+    
+    - name: Zip unsigned payload
+      shell: pwsh
+      run: |
+        Compress-Archive -Path payload payload/payload.zip
+        cd payload
+        Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force
+    
+    - uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+    
+    - name: Set up ESRP client
+      shell: pwsh
+      env:
+        AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
+        AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+        AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
+        REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+      run: |
+        .github\set_up_esrp.ps1
+    
+    - name: Run ESRP client
+      shell: pwsh
+      env:
+        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
+        # We temporarily need two AAD IDs, as we're using an SSL certificate associated
+        # with an older App Registration until we have the required hardware to approve
+        # the new certificate in SSL Admin.
+        AZURE_AAD_ID_SSL: ${{ secrets.AZURE_AAD_ID_SSL }}
+        APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }}
+        APPLE_SIGNING_OP_CODE: ${{ secrets.APPLE_SIGNING_OPERATION_CODE }}
+      run: |
+        python .github\run_esrp_signing.py payload $env:APPLE_KEY_CODE $env:APPLE_SIGNING_OP_CODE --params 'Hardening' '--options=runtime'
+    
+    - name: Unzip signed payload
+      shell: pwsh
+      run: |
+        Expand-Archive signed/payload.zip -DestinationPath signed
+        Remove-Item signed/payload.zip
+
+    - name: Upload signed payload
+      uses: actions/upload-artifact@v3
+      with:
+        name: osx-payload-sign
+        path: |
+          signed